Standing order database search system and method for internet and intranet application

ABSTRACT

An internet and/or intranet based database search system and method for conducting searches of highly confidential records such as individual patient medical records and to automate the process of securing required approvals to make such records available to a properly authorized and authenticated requesting party. The system's central premise is that the patient has a fundamental right to the confidentiality of their personal medical records and should control that right through specific, informed consent each time that a party requests to receive them. It reinforces the widely held conception of privacy in general as well as of the sanctity of the doctor/patient relationship by granting the doctor the right, subject to the patient's express permission, to initiate a search request. At the same time, it provides an expedited and cost-efficient means for transfer of such records as demanded by many healthcare reform proposals and gives the repositories where these records are held the right to stipulate the specific terms and conditions that must be fulfilled before they will release documents entrusted to their care, thereby substantially reducing the risk of litigation alleging breaches of patient confidentiality. And it carries out all of these legitimate interests in a way that is fast, simple to use and easy to audit. The system optionally includes a billing mechanism to pay for any added cost associated with providing this additional protection; and in its preferred embodiment, is applicable to both digital as well as non-digital records.

CROSS REFERENCES TO RELATED APPLICATION

This application is a continuation application of U.S. patent application Ser. No. 11/231,561, filed on Sep. 21, 2005 and claims the benefit of U.S. Utility patent application Ser. No. 09/025,279, filed on Feb. 18, 1998, now U.S. Pat. No. 7,028,049 which are hereby incorporated in their entirety by reference.

BACKGROUND OF THE INVENTION

This invention relates generally to the field of transmission of medical records, and more particularly to a standing order database search system and method for such transmission having Internet and intranet application.

In a recent Harris poll, 85% of respondents said they believe protecting the confidentiality of medical records is “absolutely essential” or “very important” within healthcare reform. As this survey result suggests, people are concerned about the risks powerful, new information technologies could pose to their rights of privacy. In an ironic way, the inefficiencies of the past have served as something of a comfort, despite the fact that more than a quarter of Americans responding to a 1993 Harris poll said health information about them had been improperly disclosed in the past.

Reflecting the inadequacy of a technological solution to the issue, various leaders have sought a political resolution. In 1995, Senator Robert Bennett (R-Utah) introduced the so-called Medical Confidentiality Act of 1995. Although the legislation remains mired in debate, one thing has become clear from remarks made by both the staunch advocates for the legislation as well as its numerous dissenting voices, most of which feel that its protections are inadequate. This fact is that comprehensive protection must be devised to guarantee the confidentiality and integrity of computer-based patient records as well as the data networks to carry such information.

None of the prior technologies has been able to strike this balance between protecting confidentiality and facilitating the transfer of individual medical records. The San Jose Mercury News, a widely recognized online resource for Silicon Valley companies reported the following headline in its Mar. 4, 1997 edition: “The electronic privacy issue is shaping up as a major-league battle in the 105th Congress.” On Mar. 5, 1997, Wired Magazine reported in a story entitled “Panel Urges Medical Data Protection” as follows: “Right now, if your medical records are on a computerized database or are transmitted, you run the risk of having them seen by people you never dreamed would be perusing your health information.”

The deficiency in prior technology to deliver the combined benefit of adequate protection of confidentiality and support for an ubiquitous, easy-to-deploy and use, and cost-effective means for the transfer of medical records is perhaps best noted in the written and oral testimony before various Congressional committees debating privacy legislation.

During his Jan. 13, 1997 opening remarks before the National Committee on Vital Health Statistics, Subcommittee on Privacy and Confidentiality, Dr. Robert Gellman, a privacy and information policy consultant in Washington and the subcommittee chair stated: “We intend to cover the full range of fair information practices issues, including patient's rights, limits on use and disclosure of information, health identification numbers, pre-emption of state laws and privacy-enhancing technologies when available, sometimes known as PETs—privacy-enhancing technologies.”

The subcommittee's first witness, Dr. David Korn, Professor of Pathology, and immediate past Vice President of Stanford University, Dean of the Stanford Medical School and a distinguished scholar in residence at the AAMC, stated: “The difficult challenge before this committee is to find a point of balance that will enable us to enhance the security of confidential medical information and reduce the probability of its misuse, without substantially impairing the access and communication that are essential to the effective delivery of medical care, the efficient functioning of the health care delivery system and the pace of biomedical and health services research.” Dr. Korn concluded his remarks by stating, in part, “[G]iven the requirements for access and communication in the real worlds of medical care and biomedical research, such levels of security in my judgment are fanciful.”

On Feb. 3, 1997, David L. Larsen, Director of Health Care Services at Salt Lake City-based Intermountain Health Care (IHC), testified on behalf of the American Association of Health Plans (AAHP) which represents 1,000 HMOs, PPOs, and similar network plans providing care to over 120 million Americans. In his testimony, Mr. Larsen stated: “AAHP supports this Committee's efforts to protect against the unauthorized and inappropriate use of patient information while at the same time facilitate the coordination and delivery of high quality, network-based health care. It is important that your recommendations recognize the special needs of integrated delivery systems.

“In order to manage and improve the health outcomes of the population we insure, we must be able to share information among IHC corporate entities—our physicians, hospitals, and health plans. IHC has developed electronic medical records and common databases to facilitate this communication. Preventing the creation of these common databases, limiting the type of data which can be shared within the IHC integrated delivery system, or requiring a patient's authorization for each and every transaction and transfer of data, would severely limit IHC's ability to measure and improve the health outcomes of our enrollees.”

Robert B. Burleigh, President of Brandywine Healthcare Services and Consultant to the Board of Directors of the International Billing Association (IBA), the only trade association representing third party medical billing companies, also testified before the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality on Feb. 3, 1997. In his testimony, Mr. Burleigh stated: “[Section 111 (d) of the proposed legislation] provides that a health information trustee may disclose protected health information only if the recipient has been notified that the information is protected health information . . . ’ In the normal course of business today, the technical means of notifying a recipient of (proposed) protected health information, prior to, or concurrently with, disclosure does not exist.”

Mr. Burleigh concluded his testimony with the following warning: “We are concerned that an unintended result of this proposed legislation would be the decision by providers to discontinue accepting insurance coverage in order to avoid the burdensome (in their view) new duties of securing informed consents, providing disclosures, maintaining new disclosure logs and related records, and other proposed responsibilities.”

On February 18, Lauren Dame, staff attorney at Public Citizen's Health Research Group, a non-profit organization founded in 1971 by Ralph Nader and Dr. Sidney Wolfe, testified before the committee. In her prepared remarks, Ms. Dame stated: “As medical records are computerized and there is increased disclosure of sensitive medical information—as we believe there will be—many of the problems consumers face today will be exacerbated unless strong privacy protections are included in any regulations developed . . . [P]rivacy for medical information is an important value in and of itself. People feel very strongly that they should have control over the dissemination of what amounts to highly intimate and private information about themselves.

“[W]e believe that any effort to regulate the use and development of computerized patient medical records should begin with the proposition that . . . personally identifiable patient information should not be disclosed without the informed consent of the patient. (And, by “informed consent”, I do not mean the kinds of blanket consent or release forms patients currently are forced to sign in order to obtain health insurance, which basically give the insurers the right to collect any medical information they want, and to do with it what they will.)”

Ms. Dame concluded her remarks with this statement which indicates the solutions have yet to be devised: “[Y]ou have heard from insurers, providers, and processors of data, and no doubt most of them have painted glowing pictures of the great increases in efficiency and cost savings associated with computerizing medical records and with limiting privacy protections. While in some areas, the interests of all of us might be accommodated, often you will be faced with some hard choices . . . In making your recommendations to the Secretary, I urge you to err on the side of protecting the privacy and confidentiality of personally-identifiable medical information. As a society, we can always modify regulations to increase data exchange if experience shows us that we can safely do so. But privacy, once lost, cannot be recaptured.”

On Feb. 19, 1997, Dr. Denise Nagel, a physician, instructor at Harvard Medical School and co-founder of the National Coalition for Patient Rights, an organization whose mission is to protect and preserve privacy and confidentiality in medical care, testified for that organization and on behalf of the American Psychoanalytic Association and the Association of American Physicians and Surgeons. During her testimony, Dr. Nagel quoted the 1996 Time/CNN poll which “found that 87% of Americans believed that ‘laws should be passed that prohibit health care organizations from giving out medical information without first obtaining the patient's permission.’” and commented that “the same percentage of people in a 1993 Louis Harris poll trusted their own providers but most (71%) believed that ‘if privacy is to be preserved, the use of computers must be sharply restricted in the future.’” Dr. Nagel stated her opinion: “Rules that conform to these views would require consent for placing personal information in a computer system and consent for the disclosure of identified information, except in rare circumstances.”

Merging these two fiercely advocated perspectives—efficiency of a system for delivering records and informed consent—into a single system is one of the essential missing features of the prior art.

SUMMARY OF THE INVENTION

The primary object of the invention is to better protect the confidentiality of medical records.

Briefly, the present invention comprises a medical data base supervisory control system comprising: (a) at least one data base including medical data individually relating to each of a plurality of patients; (b) internet and/or intranet means for requesting and accessing said medical data; (c) means for identifying medical data for each of said patients with conditions required for accessing of said medical data; and (d) data processing means for comparing said request with said conditions required for access of said data and, when said request fails to comply with said conditions, for denying access to said data.

The invention also comprises a method of controlling access to medical data in a medical data base comprising: (a) maintaining at least one data base including medical data individually relating to each of a plurality of patients; (b) identifying medical data for each of said patients with indicia indicative of conditions required for access of said medical data; (c) selectively introducing internet and/or intranet requests for access to said data; and (d) comparing said requests with said conditions; and, when said requests fail to comply with said conditions, automatically denying access to said data.
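The comparison step (d) above can be sketched as a deny-by-default gate that releases a record only when every condition attached to it is met and that logs each decision. This is an added example, not code from the patent or its applicant: the class and field names, the "patient" and "repository" approval parties, and the SHA-256 hash chain used to make the log tamper-evident are all assumptions made for illustration.

```python
"""Deny-by-default release gate for the comparison step (added example).

All names here (ReleaseConditions, AccessRequest, RecordGate) are
hypothetical; the patent text does not define a data model.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ReleaseConditions:
    # Parties whose express approval the repository requires before release.
    required_approvals: frozenset
    require_authenticated_requester: bool = True


@dataclass
class AccessRequest:
    request_id: str
    requester_id: str
    requester_authenticated: bool
    record_id: str
    # party -> True (approved) / False (declined); absent means no answer yet.
    approvals: dict = field(default_factory=dict)


class RecordGate:
    def __init__(self, conditions_by_record):
        self._conditions = dict(conditions_by_record)
        self.audit_log = []          # append-only list of dict entries
        self._last_hash = "0" * 64   # genesis value for the hash chain

    def evaluate(self, req):
        """Return (granted, reasons); every decision is logged."""
        reasons = []
        cond = self._conditions.get(req.record_id)
        if cond is None:
            # No conditions on file: deny rather than fall through to allow.
            reasons.append("no release conditions on file")
        else:
            if cond.require_authenticated_requester and not req.requester_authenticated:
                reasons.append("requester not authenticated")
            for party in sorted(cond.required_approvals):
                answer = req.approvals.get(party)
                if answer is True:   # only an explicit approval counts
                    continue
                state = "declined" if answer is False else "missing"
                reasons.append(f"approval {state}: {party}")
        granted = not reasons
        self._log(req, granted, reasons)
        return granted, reasons

    def _log(self, req, granted, reasons):
        entry = {
            "request_id": req.request_id,
            "requester_id": req.requester_id,
            "record_id": req.record_id,
            "granted": granted,
            "reasons": reasons,
            "prev": self._last_hash,  # links this entry to the previous one
        }
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self._last_hash = digest
        self.audit_log.append(entry)


def verify_chain(log):
    """True if the chain is intact (no entry edited, reordered or dropped mid-chain)."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


# Constructed sample data, not taken from the patent.
CONDITIONS = {"rec-001": ReleaseConditions(frozenset({"patient", "repository"}))}


def demo():
    gate = RecordGate(CONDITIONS)
    requests = [
        AccessRequest("q1", "dr-b", True, "rec-001", {"patient": True}),
        AccessRequest("q2", "dr-b", True, "rec-001", {"patient": True, "repository": True}),
        AccessRequest("q3", "dr-b", False, "rec-001", {"patient": False, "repository": True}),
        AccessRequest("q4", "dr-b", True, "rec-999", {"patient": True}),
    ]
    return gate, [gate.evaluate(r) for r in requests]


if __name__ == "__main__":
    gate, results = demo()
    for granted, reasons in results:
        print(granted, reasons)
    print("audit chain intact:", verify_chain(gate.audit_log))
```

A hash chain of this kind does not detect truncation of the newest entries; an off-site copy of the latest hash is needed for that.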

OBJECTS AND FEATURES OF THE INVENTION

One general object of the invention is to provide an opportunity for the informed consent by the patient for such records to be made available to healthcare providers and trustees, such as payers, auditors, and the like.

Another object of the invention is to assist doctors, hospitals, and other healthcare providers, as well as health insurance payors, to assess whether a procedure recommended by a health care provider is one that should be covered by the insurance.

A further object of the invention is to simplify the process of securing second opinions.

Yet another object of the invention is to reduce the time involved in transmitting medical data from one health care provider to another and thereby to ensure prompt patient treatment and care.

Still yet another object of the invention is to automate the process of securing required approvals to make a patient's personal medical records available to a medical service provider such as a doctor or hospital.

Another object of the invention is to provide a fully integrated system and method for conducting searches of data bases while protecting the privacy of such data bases, particularly of medical data bases by health care providers.

Another object of the invention is to provide automated approval for access to a data base of confidential records and transmission of data therefrom once appropriate approval is received.

A further object of the invention is to provide for patient approval of access to medical records in data bases.

Yet another object of the invention is to permit health care providers to conduct searches from any Web browser.

Still yet another object of the invention is to permit health care providers to conduct searches from any Java-enabled Web browser.

Another object of the invention is to make possible the interoperability of widely-used desktop applications within the deeply fragmented healthcare industry.

Another object of the invention is to provide a way that every word in a computer-based patient record (or records index) database is indexed with a gateway to the World Wide Web.

A further object of the invention is to provide a means by which these indexed words are made available to searchers through a system designed to assure both the privacy of these records and the security of the legacy systems on which the original documents are held.

Yet another object of the invention is to provide easy and rapid migration of new computer-based patient record systems and applications in the future as set forth in U.S. Pat. No. 5,301,105.

Still yet another object of the invention is to readily search a master index of patient records through the Internet or intranet.

Another object of the invention is to automate the approvals process required in order to retrieve relevant items identified as a consequence of a search of patient records and/or indexes thereof.

Another object of the invention is to improve the quality of patient care, reduce the cost of healthcare, and eliminate duplication of efforts.

A further object of the invention is to deploy data warehouse/decision support system (DW/DSS) technologies to large numbers of users across organizational boundaries while relying upon conventional client/server technology.

Yet another object of the invention is to optimize the use of the Internet and World Wide Web as a distribution channel for personal medical records without compromising the vital healthcare and professional service industry considerations of confidentiality, privacy and economics.

Still yet another object of the invention is to provide for authentication of the identity of the requesting party in any database search.

Another object of the invention is to provide for authentication of the identity of the party about whom the records pertain in any database search, and to provide such person with an express opportunity to either approve or decline whether such records may be transferred on a case-by-case basis as database search requests are received.

Another object of the invention is to prevent tampering and message forgery of the means for authenticating the identity of the persons requesting a database search, the person about whom the records pertain and any other parties whose express permission is required in order that such records may be transferred.

A further object of the invention is to assure that every step in the approvals process is appropriately completed.

Yet another object of the invention is to provide a means by which the person requesting information can determine the approximate time period required to retrieve and deliver the information once all approvals are complete, the available type(s) of media on which the document can be delivered and the cost (if any) for this information to be forwarded to the requesting party.

Still yet another object of the invention is to provide a quick and intuitive means for the searcher to specify which records they would like to retrieve, indicate a priority level for this to occur, select the preferred means for transmittal of the documents and confirm the payment arrangements with the party holding such records.

Another object of the invention is to provide searchers with a means to create a “standing order” that will automatically prompt an attempt to retrieve certain types of materials and information under pre-specified circumstances.

Another object of the invention is to make possible contacts with persons who do not have an email account by provision for automatic generation of a fax, letter or phone call to communicate approvals requests to such persons.

A further object of the invention is to provide for the administrator of the database where the records are held to specify in advance the condition or conditions which must be met in order for the release of this information to occur from such database.

Yet another object of the invention is to enable this approvals process to occur without requiring any case-by-case action by the database administrator, and thereby to avoid any waste of resources on those requests for which a party does not grant specific authority for a copy of the records to be shared with the requesting party.

Still yet another object of the invention is to provide the requesting party a means by which to designate certain requests for priority action and thereby expedite these requests.

Another object of the invention is to permit complete control over all documents in the hands of the data administrator, while simultaneously undertaking on such administrator's behalf through the system all of the time-consuming paper-intensive and often thankless tasks involved in securing proper proof and documentation for releasing inherently sensitive medical records.

Another object of the invention is to provide a means to accommodate records that are stored off-line and that require magnetic tapes to be mounted and/or copies to be made of documents preserved in a non-digital form, such as in paper records, x-rays, photographs, and on micro-fiche or floppy disk.

A further object of the invention is to create a comprehensive security log which can act as proof that all authorizations for release and/or transfer of the records are complete.

Yet another object of the invention is to provide complete security of data and data bases together with an off-site audit trail.

Still yet another object of the invention is to permit data administrators a means by which to keep their system that is connected to the Internet or an intranet physically disconnected from the legacy system on which sensitive records are held except during the batch process of uploading pre-designated and fully-approved requests for such documents.

Another object of the invention is to provide secure protection of the legacy system and thereby to make it virtually impossible for a person to gain unauthorized access to that computer system or any of the records contained on it.

Another object of the invention is to provide a secure online cache for temporary storage of requested information from the legacy system.

A further object of the invention is to provide a means for informing the requesting party when any documents previously requested have been submitted to the temporary cache and are, thus, available for their use.

Yet another object of the invention is to provide tracking information concerning all transmitted materials, which information can be used to locate these documents in the event they are not timely received.

Still yet another object of the invention is to provide a means to dramatically reduce response times required for a searcher to get copies of highly confidential and private data or records, thereby significantly lowering overhead costs, while maintaining total document control and security.

Another object of the invention is to allow for presentation of display advertising as a means by which to help defray costs associated with creating and maintaining the system.

Another object of the invention is to provide for the integration of electronic commerce features that will enable hospitals, testing labs, physicians, and the like, to charge for the transfer of a patient history, comprehensive medical records, lab reports, test results, prescription drug records, administrative and payment records as a further means by which to help defray costs associated with creating and maintaining the system.

A further object of the invention is to provide an indication of the status of a searcher's request, and of the transfer of requested documents pursuant thereto.

Yet another object of the invention is to provide an incentive to physicians to upgrade their office computing systems.

Still yet another object of the invention is to shift the administration of patient records from being a cost center to a profit center.

Another object of the invention is to provide an incentive for organizations to make their information as relevant as possible to others in the healthcare industry.

Another object of the invention is to provide a means by which the traditional information flow (from a centralized database, hospital or lab TO an individual physician) can also function in reverse, depending on the types of information requested, and to thereby permit patient records held by independent doctors' offices and clinics to be as accessible as data held in a central data base warehouse, including any hospital or testing laboratory.

A further object of the invention is to provide a means for secondary researchers to review as broad a database as possible from searching of patient records in order to support their research efforts, treatment efficacy studies, expert systems, artificial intelligence programs and other efforts to improve future decision-making and payment processes as set forth in U.S. Pat. No. 5,301,105.

Yet another object of the invention is to permit physicians to share patient records with authorized third-parties without incurring a significant increase in time or administrative overhead costs.

Still yet another object of the invention is to permit physicians to share patient records with confidence that litigation will not ensue concerning their having breached patient confidentiality, and that will assure the presence of full evidentiary documentation of the propriety of such action in the event there is a subsequent question concerning their action.

Another object of the invention is to speed up and reduce the cost necessary to conduct the adjudication and utilization review functions set forth in U.S. Pat. No. 5,301,105.

Another object of the invention is to expedite and reduce the cost of medical review and payment evaluation procedures desired for healthcare reform in order to lower overall costs.

A further object of the invention is to provide a means for comprehensive protection for the confidentiality and integrity of computer-based patient records.

Yet another object of the invention is to provide a means for comprehensive protection for the confidentiality and integrity of the data networks that carry medical records and information.

Still yet another object of the invention is to provide a more secure, more error-free and tamper-resistant system for accessing medical records.

Another object of the invention is to allow patients the opportunity to give specific informed consent every time that any information about them is desired by third parties—a level of control and protection which according to a recent TIME/CNN poll, 87% of all Americans indicate they desire, but which extensive contemporaneous testimony by industry leaders indicates is not available, unlikely and/or impossible given all known and foreseen technology.

Another object of the invention is to reduce the risk of exposure to litigation alleging breaches of patient confidentiality by persons and institutions holding and/or transferring medical records.

A further object of the invention is to allow different types of databases to be accessed and to thereby permit numerous organizations and software developers to work in parallel to write enhancements, to customize individual installations and to provide additional functionality without reducing the ubiquity of the overall system.

All of the foregoing features are integrated and include interactive participation with healthcare providers and trustees.

The foregoing and other objects and features of the invention will be apparent from the following detailed description, by way of a description of a preferred embodiment, with reference to the drawings.

Other objects and advantages of the present invention will become apparent from the following descriptions, taken in connection with the accompanying drawings, wherein, by way of illustration and example, an embodiment of the present invention is disclosed.

The drawings constitute a part of this specification and include exemplary embodiments to the invention, which may be embodied in various forms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting principal functions of the instant invention as applied to searching medical records data bases;

FIG. 2 is a block diagram illustrating process flow of the search of the index of information of interest portion of the system and method;

FIG. 3 is a block diagram illustrating process flow of the periodic updating of the searchable index portion of the system and method;

FIG. 4 is a block diagram illustrating process flow of the request and approval portion of the system and method;

FIG. 5 is a block diagram illustrating process flow of the data requested to an on-line cache memory portion of the system and method; and

FIG. 6 is a block diagram illustrating process flow of the notification of availability for retrieval, or tracking of information in accordance with the instant invention, and for the upload of such information when in a digital form.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein.It is to be understood, however, that the present invention may beembodied in various forms. Therefore, specific details disclosed hereinare not to be interpreted as limiting, but rather as a basis for theclaims and as a representative basis for teaching one skilled in the artto employ the present invention in virtually any appropriately detailedsystem, structure or manner.

While the instant invention is applicable broadly to systems and methodsof searching data bases requiring prior approval for confidentialaccess, it will be described with respect to medical records data basesaccessible over the Internet where access requires approval by one ormore third parties, such as a patient. It will be evident that a localarea network (LAN), intranet or wide area network (WAN) can also beutilized.

Referring to the drawings, FIG. 1 depicts the principal components of apreferred system in accordance with the principles of the invention.Shown as 10 a 10 c are clients, i.e., healthcare information usersrequiring access to medical records and patients for whom such recordsare held. Such healthcare information users can be hospitals, doctors,nursing services, nursing homes, insurance companies, patients,druggists, employers, and the like. For ease of illustration theinvention will be further described with the healthcare information userbeing a doctor.

Before describing the system and method in detail and referring to thedrawings, it will be evident that the client, i.e., the doctor, willneed to have an adequate conventional computer terminal and printer andthat the terminal be connected as by telephone 31, 32, or 33, orsatellite or other means to the Web by means of any conventionalInternet service provider. Links 30, 40 to 51 inclusive, and 60 to 63inclusive are likewise conventional communication paths such astelephone lines, internal connectivity, or the like, all operatingthrough the Internet through Internet firewall gateways 11, 17, and 18.All of these are conventional presently existing techniques foraccessing and gathering information from the Internet. It is alsopossible, of course, to utilize an intranet, LAN or WAN, in lieu of theInternet.

By operating through a conventional Internet service provider, therewill also be available to the client an electronic mail function linkedto the processing system, i.e., the doctor's computer and printer. Whilethe present invention does provide for Non-Digital delivery 70 from aLegacy Data Base 21, it will be evident that for ease and speed oftransmission, it is preferable to utilize electronic mail.

In short, the instant system and method utilize existing computerhardware and existing communication links, such as the Internet andintranet, in order to access data bases without compromising the vitalconsiderations of privacy of patient information and rigorous control ofaccess, as well as retaining records of the access requester.

Moreover, as used herein, the terms, “server”, “cache”, “interfaceengine”, “queue”, and “agent” have the standard meanings used by thoseskilled in this art. The term “Legacy Data Base” means any existing database such as a doctor's records or medical records of a hospital,nursing home, and the like. “Master Index” means an index of informationin the system. Lastly, “Firewall” refers to the usual known securitylayer(s) provided in computerized systems to permit access to certainfiles only to those having the necessary “password(s)”. The Internet,for example, gives users their own private password.

To initiate a search, the requesting physician, 10 b, will simply enterthrough his or her computer the search criteria into the relevant queryfields and press the submit button. Although this search can beinitiated from any Java-capable Web browser, originating a searchrequest will require authenticating the identity of the requestingparty, as is presently conventional with Web users.

When the request is made from the physician's own machine, this can occur through a digital certificate, such as VeriSign's Class 2 Digital ID. If the requesting physician is using another machine as a guest, authentication can occur through a smart card such as offered by a number of firms to provide irrefutable evidence of the owner's identity. All traffic can be encrypted to prevent tampering and message forgery. Firewall 11 prevents any unauthorized entry.

Generally, the query will be divided into two parts. The first will identify the patient, and may include their name, Social Security number and any other identifier used from time to time. The second part will consist of a word, or a series of words, that will narrow the search results to the topic of interest.

The search interface will also permit the optional use of Boolean operators and a number of other search parameters including data type, document type, start and end date for the records, ordering physician's name and locations where work was previously conducted, in order to more accurately specify what he or she is looking for.

After entry is approved and the order submitted, the search engine, Server 12, will produce a prioritized index from Master Index 13 of all documents meeting the specified criteria, together with a hypertext link or similar connection to an order form for securing a copy. The search results will report the approximate number of documents found that match the search criteria; the title and type of each such document; and the date it was created, name of the ordering physician and location (or locations) where these records are held.

The instant system and method have conventional associated software with suitable graphical user interface and readily-understandable icons for key functions. The physician can simply click on the icon associated with any item on the list and this will bring up its first 13 lines of text or other description of the document and an order form indicating all of the approvals required before the holder will release it. This form will also specify the approximate time period required to retrieve and deliver the information once all approvals are complete, the available type(s) of media on which the document can be delivered and the cost (if any) for this information to be forwarded to the requesting party.

Through a series of programmed commands, such as mouse clicks on a results form, the physician will specify which records he or she would like to retrieve, indicate a priority level for this to occur, select the preferred means for transmittal of the documents, and confirm the payment arrangements. Alternatively, the physician can create a “standing order” that will always attempt to retrieve certain types of materials, such as “Give me anything you have in the way of blood work for all known identifiers used for this patient over the last 3 years. Use the fastest transmission means available. Payment for all related charges guaranteed.”

As shown in FIGS. 1 and 4, both the initial order process and standing order database request will initialize a workflow agent, represented by Approvals Agent 16, to seek the relevant approvals indicated by the data administrator or the Legacy Base 21, where the records are held. Although e-mail is the preferred means to communicate this request for approval to release this or these records, Approvals Agent 16 can also automatically generate a fax request, telephone call or machine-generated conventional letter to any persons who do not have an e-mail address.

Data items may be categorized with attributes which identify levels of sensitivity, accessibility, release approvals required and other related considerations relevant to access, encryption, authorized mode of transfer, and the like. Thus, when a request for release is received, the relevant attributes provide a ready way to automatically obtain important customized information tailored to each individual data item.

By way of illustration, a patient may give prior approval and it be on record in the system as a data item that as to any future request by any doctor or medical institution, there is the automatic pre-authorization by such patient for the release of his medical data to such doctor or medical institution.

The second stage search service begins when the doctor submits a completed order form. Approvals Agent 16 acts as a message-passing server, responding to the orders it receives and the conditions prescribed by the data administrator of any Legacy Data Base 21 for release of this information, and in turn, contacts other resources over the network or via fax to secure these approvals. In an ideal circumstance, such persons will be other clients 10 a and 10 c, but could be persons outside the user's with known connections to the Internet.

For standard turn-around, this automated process of securing all related approvals is undertaken before the data administrator is informed that a request has been made for these records. This avoids any waste of resources on those requests for which one or more party does not grant authority for a copy of the records to be shared. In expedited requests, the data administrator will be informed with respect to any materials that have a longer lead time so that these can be placed into the queue for immediate processing once the required approvals are secured.

The parties whose approval is required by the administrator of the Legacy Data Base 21 where the records are held, will receive an automatically generated message from the Approvals Agent 16, indicating that a request has been made for the records selected by the requesting client 10 b. This message will specify the name of the requesting party, the nature of his or her interest, the title and location of the document requested, and a summary description of the information being sought, as well as the date on which it was created, and such other information deemed appropriate from time-to-time. The notice will provide an icon for easy selection by the recipient to indicate his or her consent, or denial, of such provision together with means for authenticating his or her identity, all expressly applied by the data administrator.

In the event the party is not one of clients 10 a or 10 c, but rather is an off-line user, the approval agent will automatically generate a request by a facsimile or mail to the last known address of the party. Alternatively, if a standing provision has been given by the party for release of their records in the specific circumstances fulfilled by the requester, then such approvals will be granted automatically. In the event of faxed or mailed approval requests, the recipient will be asked to contact the requesting client, 10 b, or the administrator for the Legacy Data Base 21 to indicate his or her approval and to provide evidence of such consent, together with proof of his or her identity.

This implementation system and method leave control over all documents in the hands of the data administrator, while simultaneously delegating to the instant system all of the time-consuming, paper-intensive and often thankless tasks involved in securing proper proof and documentation for releasing inherently sensitive medical records.

The instant system and method take into account the likelihood that many of the requested records may be stored off-line, requiring magnetic tapes to be mounted and/or copies to be made of documents preserved in a non-digital form, such as in paper records, x-rays, photographs, and on micro-fiche or floppy disk.

When Approvals Agent 16 receives all of the required authorizations for release of the records request, it will automatically generate a message to the data administrator where these records are held notifying him of this fact and asking that he retrieve and transmit the documents to the requesting physician. This notification will also include a copy of the security log showing proof that all authorizations are complete; specify the requested mode of transmittal (e.g., mail, fax, overnight delivery or network transmission) and verify that all related charges are paid. If the Approvals Agent “times out” before all approvals are in place, it will automatically generate a message to the requesting party, client 10 b, indicating the name of the person or persons whose approval or approvals have not been received so that the requesting client may attempt to contact that person or persons directly or, alternatively, to terminate the document retrieval request.
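The approval workflow described above (item attributes naming the required approvers, standing consent granted automatically, the data administrator notified only once every approval is in, and a time-out that reports whose approval is missing) can be modelled as follows. This is an added Python example, not code from the patent; the class, state and log-event names are assumptions, and approver identities are assumed to have been authenticated before `respond` is called.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class DataItem:
    item_id: str
    patient: str
    doc_type: str
    required_approvers: tuple  # attribute set by the data administrator

@dataclass(frozen=True)
class StandingConsent:
    approver: str               # who gave the pre-authorization
    patient: str
    doc_types: frozenset        # record types it covers
    requester_roles: frozenset  # who may rely on it

@dataclass
class ReleaseRequest:
    request_id: str
    requester: str
    requester_role: str
    item: DataItem
    deadline: float
    decisions: dict = field(default_factory=dict)  # approver -> granted/denied
    state: str = "PENDING"

    def missing(self):
        return [a for a in self.item.required_approvers if a not in self.decisions]

class ApprovalsAgent:
    def __init__(self, standing_consents=()):
        self.standing = list(standing_consents)
        self.requests = {}
        self.log = []  # (time, request_id, event, detail)
        self._ids = count(1)

    def _record(self, now, req, event, detail=""):
        self.log.append((now, req.request_id, event, detail))

    def _standing_consent(self, approver, req):
        return any(s.approver == approver and s.patient == req.item.patient
                   and req.item.doc_type in s.doc_types
                   and req.requester_role in s.requester_roles
                   for s in self.standing)

    def submit(self, requester, role, item, now, timeout):
        req = ReleaseRequest(f"REQ-{next(self._ids)}", requester, role, item,
                             now + timeout)
        self.requests[req.request_id] = req
        self._record(now, req, "submitted", f"{requester} -> {item.item_id}")
        for approver in item.required_approvers:
            if self._standing_consent(approver, req):
                req.decisions[approver] = "granted"  # granted automatically
                self._record(now, req, "standing_consent_applied", approver)
            else:
                self._record(now, req, "approval_requested", approver)
        self._evaluate(req, now)
        return req

    def respond(self, request_id, approver, granted, now):
        req = self.requests[request_id]
        if approver not in req.item.required_approvers:
            self._record(now, req, "response_rejected", approver)
            raise PermissionError(f"{approver} cannot approve {request_id}")
        self.tick(now)  # expire anything already past its deadline
        if req.state != "PENDING":
            self._record(now, req, "late_response_ignored", approver)
            return req.state
        req.decisions[approver] = "granted" if granted else "denied"
        self._record(now, req, "approval_" + req.decisions[approver], approver)
        self._evaluate(req, now)
        return req.state

    def tick(self, now):
        """Time out overdue requests; report whose approval is outstanding."""
        timed_out = {}
        for req in self.requests.values():
            if req.state == "PENDING" and now > req.deadline:
                req.state = "TIMED_OUT"
                timed_out[req.request_id] = req.missing()
                self._record(now, req, "timed_out", ",".join(req.missing()))
        return timed_out

    def _evaluate(self, req, now):
        if "denied" in req.decisions.values():
            req.state = "DENIED"
            self._record(now, req, "requester_notified_of_denial", req.requester)
        elif not req.missing():
            # Only now does the data administrator hear about the request.
            req.state = "APPROVED"
            self._record(now, req, "administrator_notified", req.item.item_id)

    def security_log(self, request_id):
        return [entry for entry in self.log if entry[1] == request_id]
```

`security_log(request_id)` returns the per-request entries that would accompany the release notice to the data administrator; `tick(now)` returns, for each request that timed out, the approvers who never answered.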

According to a 1996 survey of 1,320 chief information officers (CIO's) and other senior information executives conducted by Ernst & Young/InformationWeek, “nearly three-quarters (71 percent) of the executives surveyed expressed a lack of confidence in the security of their computer networks”, and listed an unsecured Internet connection as one of the major areas of vulnerability. The instant system provides complete security and an off-site audit trail.

The present invention provides three layers of security for data in any Legacy Database 21, which horizontal rectangle is meant to include records held in both an on-line digital form, including in a data mart, warehouse or the like, as well as off-line in digital form, and off-line in a non-digital form, such as on diskettes, magnetic tapes, paper or micro fiche, or the like. For purposes of this description, the preferred embodiment will be a digital record or “computer-based patient record”, often referred to in the field as a CPR. First, the message asking release of the records will only originate from the system bot (meaning computerized robots), authenticated by its own unique digital signature, as opposed to an unknown network user. Second, the request will be made to the data administrator, whose computer where this Request Cache 20 is maintained can be kept physically disconnected from the Legacy Database 21 except during the batch process of uploading pre-designated and fully-approved documents. And finally, this process will involve manual entry, albeit very easy as through clicking on designated icons, by the data administrator, who acts as a last filter in the case of observing any unusual activity in the Request Queue 20.

The present system and method provides a graphical user interface (GUI) which will prompt the administrator to enter the tracking number for any records that are transmitted other than by the Internet, including by courier, mail, or facsimile; and will note the actual date of transmittal via such other modes. Those documents that are held as on-line computer-based patient records will be replicated and transmitted to the Request Cache 15 over the network via connections 47, 50, 51, 62, and 63.

As noted, once all required approvals have been secured for the data, the records that are in digital form are uploaded to a secure Request Cache 15, linked to Server 12, rather than directly to the requesting physician 10 n. Receipt of the upload or of a message confirming that the document(s) have been sent outside the system by non-digital delivery indicated by line 70 in FIG. 5 triggers Notification Agent 14 to inform the doctor 10 b.

This system and method, similar to the well known “store and forward” technique used in many data bases, results in several advantages. Since there is never a direct connection established between Legacy Database 21 and doctor 10 b, the design adds one more layer of security. This same architecture supports near-real-time and real-time transmissions if such nature is merited by the priority established by the requesting physician, the approvals conditions stipulated by the data base administrator, and the standing order provisions established by the patients affected.

In addition, the Request Cache 15 eliminates the requirement for the doctor 10 b to be on line at the time the upload takes place from the Legacy Database 21. A message is sent by Notification Agent 14 that informs doctor 10 b that the requested document(s) are available and provides a hypertext or functionally comparable link for retrieval of this information from Request Cache 15. In instances when any document is not in a digital form and was sent by mail, facsimile or courier, Notification Agent 14 will confirm the date and time of transmittal, and provide tracking information that can be used to locate these documents in the event they are not timely received.

Upon being notified that the document(s) containing the requested details are in Request Cache 15, doctor 10 b will be able to log onto the Internet from any browser, go to the instant system Web site, authenticate his or her identity, and then selectively retrieve and review these files. Following review, the documents can either be discarded, copied to a local drive or printed. Alternatively, doctor 10 b may request that the information be retained for a specified period of time on his or her behalf in a secure data warehouse, which can be a partitioned part of the Request Cache 15, or an interconnecting computer used for such purpose (not shown).

The foregoing system and method assures that all parties' interests are protected at all times. The method will dramatically reduce response times, significantly lower overhead costs and maintain total document control and security information since these important steps will all be carried out efficiently and transparently by the system.

Periodically, search agent 22 will have provisions from the data administrator to search the Legacy Database 21 and update the Master Index 13 with every word in every computer-based patient record (or records index) database with a gateway to the World Wide Web. In the event such records are in a computer language other than established by standards bodies for Internet transmission, the system and method incorporates an interface engine 19 to translate the records and thereby make them available using the Internet. This interface engine 19 can also be used to indicate which of the records are indexable and which are retrievable on an item-by-item basis, all as specified by the data base administrator and/or by instruction of the patient.

As will be evident to persons skilled in the art, these attributes will make all of the records available to searchers through the system described and simultaneously assure both the privacy of these records and the security of the legacy systems on which the original documents are held. The invention represents improvements over existing records data bases in five key areas: records indexing, access control, automated approvals processing, transactional billing and secure document caching.

It will be evident from the foregoing description that rather than conceiving a new database server, data mart, database warehouse or interface engine to compete with existing systems, there will be utilized such systems as are already on the market or currently under development by literally hundreds of firms including Microsoft, IBM, Hewlett-Packard, Sybase and SMS. The instant invention embraces and integrates over the Internet all of the major database systems built for the healthcare industry and patient records packages running on popular desktop, server and legacy operating systems and organizations with intranets. This concurrently lays the groundwork for easy migration of new computer-based patient record systems and applications in the future by creating a master index of patient records that is easily searched through the Internet.

This results in greater extensibility and a number of capabilities not achieved with other technologies, or other known combinations of technologies mentioned above.

The AltaVista Public Search Service developed by Digital Equipment Company and other Internet search engines illustrate that while the Internet remains essentially unstructured, it is possible—with enough software sophistication and computing power—to catalogue the connected realm. To index every word on every page of every available Web site, and to make these available to searchers without adding arbitrary structure or categorization. In effect, as Digital states, “to bring order and meaning to an otherwise unwieldy behemoth.”

While most of the medical records existing today are not even “on the Internet”, more and more is being put into a form that can be put on the Internet. This creates the capability for a doctor to quickly and intuitively search for his or her patient's prior medical records, and automates the approvals process required in order to retrieve relevant items indicated within this index.

Moreover, though there are today only a few healthcare databases with a TCP/IP or HTTP compliant interface to index, this provides an opportunity to grow with the migration of technology to the language of the Internet and the transactional payment through electronic commerce means provides an economic incentive for this to occur. By the same token, as Ernst & Young concluded in their recent study entitled The Role of the Internet in Health Care: “The Internet is becoming a pervasive force in today's global economy and healthcare organizations need to be strategically positioned to participate.” The relevance of the instant invention is to improve the quality of care, reduce the cost of healthcare and eliminate duplication of efforts as increasing numbers of medical databases are connected to this new distribution channel.

Michael Saylor, President of MicroStrategy Inc., selected by Database Programming & Design Magazine as one of the twelve most influential companies in the database industry, predicts that the economic potential of employing the World Wide Web to publish information held in data warehouses to users outside of the corporations which own these legacy systems could represent a hundred-billion dollar market.

In its preferred form, the instant invention is designed with three primary “stakeholders” in mind: the physician, the IS/IT administrator and the patient. Unlike any other medical search engines, the instant invention takes full advantage of the Internet to access institutional databases while taking into consideration the competing requirements of rapid access to patient records and medical information, security, privacy and economics.

The value of the information in these existing records and data repositories is extraordinary. Notwithstanding, the healthcare industry has so far extracted only a small fraction of the value from these archives. This is principally due to the extraordinary difficulty of deploying data warehouse/decision support system (DW/DSS) technologies to large numbers of users across organizational boundaries while relying upon conventional client/server technology.

The instant invention overcomes this difficulty through the specially designed indexing and search system that will optimize use of the Web as a distribution channel without compromising the vital industry considerations, such as privacy, which are unique to healthcare where it is well known that patients and patient advocacy groups are becoming increasingly aware of the risk of privacy breaches in the future as technologies improve.

Typically on the Internet, a larger computer functions as a server and a smaller computer (for example, a work station) as a client. Something similar is also true in healthcare where the legacy database systems maintained by hospitals and large testing laboratories are typically the data providers; and the individual physician's offices are most often the data consumers.

The system of the present invention takes full advantage of the Internet's distribution capabilities and permits this information flow to also function in reverse, depending on the types of information requested. Although not shown in the drawings, another client could be the repository of the data, in fact, acting within the system as Legacy Data Base 21. This capability is particularly vital in the healthcare industry since much of the patient record is distributed between independent doctors' offices and clinics rather than held in a central data warehouse, as in other industries.

As increasing numbers of physician offices computerize patient records or build computerized indexes of their non-digital records, the instant invention will make this information available to other medical professionals. The system's automated processes, on line cache and electronic commerce features will permit physicians to offer this service without a significant increase in time or administrative overhead; and will provide an economic return to the physician when his or her office provides patient records to other medical professionals.

As discussed above, the instant system's fine-grained controls limit access to documents, directories and database sites. Over the short term, these controls can be designed to restrict access for individual patient records. As inference engines, artificial intelligence algorithms and other expert systems technologies become more refined and better standards for computer-based patient records are adopted for the industry, the system's architecture also lends itself to filtering content and automating the research process involved in making abstractions over wide databases of individual patient records. This capability serves as an important step toward incorporating the adjudication and utilization review functions set forth in U.S. Pat. No. 5,301,105 and the medical review and payment evaluation procedures suggested in a number of industry white papers and well-regarded articles concerning healthcare reform.

The healthcare industry has access to very large machines and broad communications bandwidth. In this sense, another advantage of the instant invention is that it provides a means to broaden the network of physicians who can use information contained in existing records databases, as well as adding new database sources in a way that is less costly and significantly faster to implement than using traditional methods. Over the longer term, as use of the Internet and computer-based patient records increase, the logic of the instant system and method becomes even more compelling. The use of open-standards allows for more rapid integration of numerous third-party technologies as well as for the creation of custom in-house solutions.

Encryption of all communications using secure sockets technologies such as SSL 3.0, and more robust Internet security standards that will supersede it in the future, will prevent tampering, eavesdropping and message forgery. By the same token, computer networks are only as strong as their weakest link, which is often the gateway. Employing the instant system “as” this gateway enhances this network security, while at the same time facilitating faster access to patient records and vital medical information for a much broader audience through the Internet.

The present invention makes it fast, economical, convenient and extremely easy for physicians and other medical professionals to make more extensive use of these records in their daily practice of medicine. The system simultaneously makes it practical for data administrators both to manage and economically benefit from this increased demand for patient records and medical documents they control.

In 1995, Senator Robert Bennett (R-Utah) introduced the so-called Medical Confidentiality Act of 1995. Although the legislation remains mired in debate, one thing has become clear from remarks made by both the staunch advocates for the legislation as well as its numerous dissenting voices, most of which, like the ACLU, and various other citizen advocates, feel that its protections are inadequate. The fact is that comprehensive protection must be devised that will guarantee the confidentiality and integrity of computer-based patient records as well as the data networks to carry such information.

One of the primary advantages of the instant invention is that it will use today's advanced technologies in order to create a more secure, more error-free and tamper-resistant system for accessing medical records than exists in a non-computerized environment.

According to a TIME/CNN poll, most Americans (87% of respondents) believe patients should be asked for permission every time any information about them is used. The present invention makes it possible to achieve this ideal for those persons who demand it, and to pass along the attendant costs associated with this higher standard of administrative care to these persons. Hence, rather than attempt to impose one solution that will be good for everyone, this invention is designed to permit each stakeholder to set their own conditions for the transfer of this highly personal information. This system operates strictly as an honest broker. It negotiates the conditions and then carries out the transfer of information only AFTER these requirements have been fulfilled. And when information does move, the system keeps complete and accurate logs that document exactly what happened, when, why and with whose express consent so that there is strict accountability.

The instant system's central premise is that the patient has a fundamental right to the confidentiality of their records and should control that right through specific, informed consent. It reinforces the widely held conception of privacy in general as well as of the sanctity of the doctor or other trustee relationship by granting the doctor the right, subject to the patient's express permission, to initiate a search request. At the same time, it gives the repositories where these records are held the right to stipulate the specific terms and conditions that must be fulfilled before they will release documents entrusted to their care, thereby substantially reducing the risk of litigation alleging breaches of patient confidentiality. And it carries out all of these legitimate interests of all parties in a way that is fast, simple to use and easy to audit.

Accordingly, like several existing Internet-based services, the instant invention consists of the query interface described in the preceding sections and a separate, fully automated Search Agent 22. This automated software robot will collect data to be stored and queried in the Master Index 13 from any records database (or database index) connected to the Web which is either TCP/IP or HTTP compliant, or whose native language has been “translated” into being compliant through one of several commercial interface engines and system capabilities the present system incorporates in the Search Agent itself. Master Index 13 automatically produces links to every word in every record brought back by the Search Agent 22, eliminates duplicates and uses a ranking system so when doctor 10 c performs a query, the most relevant and useful results are more likely to be reported at the top of the list.

While the invention has been described in connection with a preferred embodiment, it is not intended to limit the scope of the invention to the particular form set forth, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the inventions as discussed herein.

While the invention has been described in connection with a preferred embodiment, it is not intended to limit the scope of the invention to the particular form set forth, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims.

1. A computer-implemented method of brokering health-related data, comprising: receiving, from a requesting entity, a network request for health-related data pertaining to individuals; identifying health-related data satisfying the request; applying one or more policies to the identified health-related data; wherein the policies define access restrictions to the identified health-related data of the respective individuals to whom the identified health-related data pertains and wherein the applied policies are defined by the respective individuals to whom the identified health-related data pertains; and returning to the requesting entity, via a network communication, a portion of the health-related data as permitted by the applied policies and which satisfies the network request.
 2. The method of claim 1, further comprising, prior to returning the portion of the health-related data to the requesting entity, requesting permission from the respective individuals to whom the health-related data pertains.
 3. The method of claim 1, further comprising, receiving a network request from a given one of the individuals to modify the respective policy of the given individual.
 4. The method of claim 1, wherein at least one of the applied policies specifies a level of anonymity for the respective individual.
 5. The method of claim 1, wherein at least one of the applied policies specifies that the identity of the respective individual may not be disclosed, while health related data of the respective individual may be disclosed.
 6. The method of claim 1, further comprising charging a fee to the requesting entity for the portion of health-related data.
 7. The method of claim 1, further comprising: receiving, from a requesting entity, another network request configured to identify qualified participants for a clinical trial; accessing the one or more policies; wherein the policies define selection criteria specifying under which conditions the respective individuals are willing to participate in clinical trials; and on the basis of the selection criteria, identifying one or more individuals who satisfy the network request configured to identify qualified participants for the clinical trial.
 8. The method of claim 1, wherein the network request specifies at least one of: the name of the respective requesting entities and a manner in which the requested health-related data is to be used.
 9. The method of claim 1, wherein the network request specifies that the requested health-related data is to be used for a clinical trial and wherein whether the portion of the health-related data returned to the requesting entity includes health-related data for a given individual depends on whether the respective policy for the given individual indicates a willingness to participate in clinical trials.
 10. The method of claim 1, wherein the network request specifies that the requested health-related data is to be used for a research project, and wherein whether the portion of the health-related data returned to the requesting entity includes health-related data for a given individual depends on whether the respective policy for the given individual allows accessibility to the health-related data of the given individual for use in research projects.
 11. The method of claim 1, wherein the access restrictions defined by the policies are based on how the requested health-related data is to be used by the requesting entity.
 12. A computer-implemented method of brokering health-related data, comprising: receiving, from a requesting entity, a first network request for health-related data pertaining to individuals; identifying health-related data satisfying the request; applying one or more policies to the identified health-related data; wherein the policies define access restrictions to the identified health-related data of the respective individuals to whom the identified health-related data pertains; wherein the applied policies are defined by the respective individuals to whom the identified health-related data pertains; and wherein at least one of the applied policies specifies that the identity of the respective individual is to remain anonymous, while health-related data of the respective individual may be disclosed; returning, via a network communication, a portion of the health-related data as permitted by the applied policies and which satisfies the first network request; receiving, from the requesting entity, a second network request indicating an interest in contacting the anonymous individual; and notifying the anonymous individual of the second network request while maintaining the anonymity of the anonymous individual relative to the requesting entity.
 13. The method of claim12, further comprising: receiving a third network request configured toidentify qualified participants for a clinical trial; accessing the oneor more policies; wherein the policies define selection criteriaspecifying under which conditions the respective individuals are willingto participate in clinical trials; and on the basis of the selectioncriteria, identifying one or more individuals who satisfy the thirdnetwork request configured to identify qualified participants for theclinical trial.
 14. The method of claim 12, wherein the accessrestrictions defined by the policies are based on how the requestedhealth-related data is to be used by the requesting entity.
 15. Themethod of claim 12, further comprising charging a fee to the requestingentity for the portion of health-related data.
 16. A system, comprising:a database containing health-related data pertaining to individuals; aplurality of attributes defining access restrictions to thehealth-related data, wherein the polices are defined by the respectiveindividuals to whom the identified health-related data pertains; a workflow agent configured to: receive, from requesting entities, networkrequests for the health-related data; identify health-related datasatisfying the request and the access restrictions of the policies; andreturn, via a network communication, a portion of the health-relateddata as permitted by the policies and which satisfies the respectivenetwork requests.
 17. The system of claim 16, wherein the requestspecifies at least one of: the name of the respective requestingentities and a manner in which the requested health-related data is tobe used.
 18. The system of claim 16, wherein the attributes definefurther selection criteria specifying under which conditions therespective individuals are willing to participate in clinical trials andwherein the broker is further configured to: receive network requestsconfigured to identify qualified participants for a clinical trial;access the policies; and on the basis of the selection criteria,identify one or more individuals who satisfy the network requestsconfigured to identify qualified participants for the clinical trial.19. The system of claim 16, further comprising a registration databasefor storing registration information from the requesting entities; theregistration information comprising at least one of a name of therequesting entities and a manner in which the requested health-relateddata is to be used; and wherein the broker is further configured toidentify the health-related data on the basis of the registrationinformation.
 20. The system of claim 16, wherein the broker is furtherconfigured to charge a fee to the requesting entity for the portion ofhealth-related data returned to the requesting entity.
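The flow recited in claim 12 (use-based policy filtering on a first request, then a second request relayed to an anonymous individual) can be exercised with the following added example, which is not part of the patent. The class names, the per-requester HMAC pseudonym, the default-deny rule and the sample records are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class Policy:                  # defined by the individual the data pertains to
    allowed_uses: set          # uses the individual consents to, e.g. {"research"}
    anonymous: bool = True     # identity withheld while data may be disclosed

@dataclass
class Broker:
    records: dict              # individual id -> health-related data
    policies: dict             # individual id -> Policy
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    inbox: dict = field(default_factory=dict)   # individual id -> notifications

    def _pseudonym(self, person, requester):
        # Assumption: keyed and requester-specific, so two requesters cannot join results.
        msg = f"{requester}|{person}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def request(self, requester, use, matches):
        """First request: return only what each individual's policy permits."""
        out = []
        for person, data in self.records.items():
            policy = self.policies.get(person)
            if policy is None or use not in policy.allowed_uses:
                continue       # default deny: no policy or wrong use, no disclosure
            if matches(data):
                subject = self._pseudonym(person, requester) if policy.anonymous else person
                out.append({"subject": subject, "data": dict(data)})
        return out

    def contact(self, requester, use, subject):
        """Second request: notify the individual, reveal nothing to the requester."""
        for person, policy in self.policies.items():
            if policy.anonymous and use in policy.allowed_uses and hmac.compare_digest(
                    self._pseudonym(person, requester), subject):
                self.inbox.setdefault(person, []).append((requester, use))
        return "request received"   # same reply whether or not the subject exists

def demo_broker():
    # Constructed sample data, not taken from the patent.
    return Broker(
        records={"alice": {"dx": "T2D", "age": 54}, "bob": {"dx": "T2D", "age": 61},
                 "carol": {"dx": "asthma", "age": 40}},
        policies={"alice": Policy({"research"}), "bob": Policy({"clinical_trial"}),
                  "carol": Policy({"research"}, anonymous=False)})
```

The constant reply from `contact` keeps a requester from probing which pseudonyms are valid; the individual decides whether to respond from their own inbox.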